Re: [tsvwg] I-D Action: draft-ietf-tsvwg-transport-encrypt-04.txt

Tom Herbert <tom@herbertland.com> Tue, 19 February 2019 18:10 UTC

Return-Path: <tom@herbertland.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CFD2130F89 for <tsvwg@ietfa.amsl.com>; Tue, 19 Feb 2019 10:10:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=herbertland-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6JNrtoART89V for <tsvwg@ietfa.amsl.com>; Tue, 19 Feb 2019 10:10:13 -0800 (PST)
Received: from mail-qk1-x72f.google.com (mail-qk1-x72f.google.com [IPv6:2607:f8b0:4864:20::72f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 937C7130EAB for <tsvwg@ietf.org>; Tue, 19 Feb 2019 10:10:13 -0800 (PST)
Received: by mail-qk1-x72f.google.com with SMTP id y140so230548qkb.9 for <tsvwg@ietf.org>; Tue, 19 Feb 2019 10:10:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FJnhJn2J1t7jan/sDjEx6whQVrA5dhJFRonMXjggT0s=; b=sIFsHVwXz+kweyPdklni5ZKA0vrqcGjAwz4G+KPoCsJmeFzIBnx8E8jNX+tJMUF2bh 1AihfwVlPEVoWDkUTpJlkPA443v829cZdMHRnUKZ95fwvdezYDjv6kbk9zlHLrDofvf7 oWezf257UonqErJ5mRojWV4MLlNZVJqO0Xrlaw7F0UMxBYZq0e6K4RdwyYfuMBeuFjhR pTkEJy6aa++QKJ0FNfNwXiUh798ybe4YWM+pcfNVl6QjTwLwrvJxn8YQjRpSafPJivc/ NA7hUaMkQMVm0UwbjnFZP3hfLM8eT+L8wYxnTLOZaZOdmrCKIX5Koj9KL0UG4+Vc1ccv O2ng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FJnhJn2J1t7jan/sDjEx6whQVrA5dhJFRonMXjggT0s=; b=AVH64G7k4LzoiHrVG2UfMCAg7U9KRNlNa2qs0ftmT7ThTjfS24FvhGhwrOMxwd9hPg YpnRlzeWuqK6lFyP80x/Z/lvt2Jexy1gCHVmAf/YAmwqfsW0tSscf2Uq+AUVb4GztF4S +TasZVC8Ou+LKEqYO3YMt0/9PL5KpAB/V6glAVyb9sej0d/ylpX/E1g6NB5HX/CP+07o jV24D/36xXzyKtStgeJRKMlvcjQ8N4WPrPLrY9C5IxYIgd8nJzwGrWnN+YjegyNXD3fz gCyyHrU7awTneAq/SL98EdUAA3+XhtzVE1so+6qfAyHWcfBhbVyRuu/2yASIUCTpYOD/ MfJw==
X-Gm-Message-State: AHQUAua9h+gICYdQBeflSxT110Upn1G/jRMoz5+hL4l3aBD5w6A+Fk6Z E/IUJVp2JZDB3PsQ/u1NlCdOsaTv7/GpWNaBio614TObknNXzQ==
X-Google-Smtp-Source: AHgI3Iarbq6TlSzcKJuBPns+vxUVk6/3TGgVQqZFxe6f+L3mno8LdMxRCSPkNQhbvop29EzsKjzyjG4OXk3fWCPzVoE=
X-Received: by 2002:a37:7885:: with SMTP id t127mr21940913qkc.323.1550599812272; Tue, 19 Feb 2019 10:10:12 -0800 (PST)
MIME-Version: 1.0
References: <155052226474.25978.1700439564007128149@ietfa.amsl.com> <CALx6S34o08DY-v-1S59VAerwpnf3wD6puNGe-Jq90aswYdK8Xw@mail.gmail.com> <5C6C3F9C.1070601@erg.abdn.ac.uk>
In-Reply-To: <5C6C3F9C.1070601@erg.abdn.ac.uk>
From: Tom Herbert <tom@herbertland.com>
Date: Tue, 19 Feb 2019 10:10:01 -0800
Message-ID: <CALx6S35WuRra0njfY=HOCaF8v9ampkTG612nbjKwid=CHQNumQ@mail.gmail.com>
To: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Cc: tsvwg <tsvwg@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/2ESi2ZYYzYQmw1Qa4KTYsbceKJY>
Subject: Re: [tsvwg] I-D Action: draft-ietf-tsvwg-transport-encrypt-04.txt
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2019 18:10:20 -0000

On Tue, Feb 19, 2019 at 9:40 AM Gorry Fairhurst <gorry@erg.abdn.ac.uk>; wrote:
>
> On 19/02/2019, 17:13, Tom Herbert wrote:
> > Hello,
> >
> > I am still having a hard time believing that need for operators to
> > inspect and process transport layer information in ad hoc ways
> > remotely outweighs the need for users' security and privacy and to
> > impede protocol ossification.
> Whatever you c
> > Regardless of the arguments in the
> > draft, I believe that the trend will be more use of encryption even in
> > the transport layer.
> That certainly is the way it looks, to summarise the draft says:
> "
>
>     As seen, different transports use encryption to protect their header
>     information to varying degrees.  There is, however, a trend towards
>     increased protection with newer transport protocols.
>
> "
> > Consequently, it would be nice if the draft had
> > more discussion about alternative means for network devices to get the
> > information about the transport layer that they need.
> Our guidance on scoping means that we can include deployed methods, are
> there examples that you can tell us about?

Extension headers are one. I know in some proprietary datacenter
networks (like Google) there are whole systems that collect per flow
statistics and state from host endpoints. Getting transport
information from an endpoint is FAR more robust and accurate than
trying to infer the same information from an extremely limited
viewpoint somewhere within the network.

> > In particular, I
> > still think possibility of using extension headers is far too easily
> > dismissed by the draft (please see my previous comments about that).
> I also think there may be potential here in future, and would love to
> see this area explored - it is a topic in which I have research, and I
> believe you also. I can't however point yet to deployment examples in
> this area. Do you know more?

draft-hinden-6man-mtu-option, draft-ietf-ippm-ioam-data, draft-herbert-fast

More generally to the need for extension headers to work on the
Internet is demonstrated by segment routing.

Conversely, the draft floats the idea of purposely not encrypting
certain fields of a transport header for the purposes that
intermediate devices can parse them. What is the deployment experience
of that? What transport protocols been retrofitted that do that?

Thanks,
Tom

>
> Gorry
> > Tom
> >
> > On Mon, Feb 18, 2019 at 12:38 PM<internet-drafts@ietf.org>;  wrote:
> >>
> >> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> >> This draft is a work item of the Transport Area Working Group WG of the IETF.
> >>
> >>          Title           : The Impact of Transport Header Confidentiality on Network Operation and Evolution of the Internet
> >>          Authors         : Godred Fairhurst
> >>                            Colin Perkins
> >>          Filename        : draft-ietf-tsvwg-transport-encrypt-04.txt
> >>          Pages           : 43
> >>          Date            : 2019-02-18
> >>
> >> Abstract:
> >>     This document describes implications of applying end-to-end
> >>     encryption at the transport layer.  It identifies in-network uses of
> >>     transport layer header information.  It then reviews the implications
> >>     of developing end-to-end transport protocols that use authentication
> >>     to protect the integrity of transport information or encryption to
> >>     provide confidentiality of the transport protocol header and expected
> >>     implications of transport protocol design and network operation.
> >>     Since transport measurement and analysis of the impact of network
> >>     characteristics have been important to the design of current
> >>     transport protocols, it also considers the impact on transport and
> >>     application evolution.
> >>
> >>
> >> The IETF datatracker status page for this draft is:
> >> https://datatracker.ietf.org/doc/draft-ietf-tsvwg-transport-encrypt/
> >>
> >> There are also htmlized versions available at:
> >> https://tools.ietf.org/html/draft-ietf-tsvwg-transport-encrypt-04
> >> https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-transport-encrypt-04
> >>
> >> A diff from the previous version is available at:
> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-tsvwg-transport-encrypt-04
> >>
> >>
> >> Please note that it may take a couple of minutes from the time of submission
> >> until the htmlized version and diff are available at tools.ietf.org.
> >>
> >> Internet-Drafts are also available by anonymous FTP at:
> >> ftp://ftp.ietf.org/internet-drafts/
> >>
>